Hello, I am starting this discussion to solicit joint interest in the lack of a "Details" link for events on a macOS machine. Please vote using the ideas link below if you share the same sentiment.
When responding to alerts in Sophos Central, the first thing I do is gather as much information as possible from the alert itself. Whether the endpoint is Windows or macOS, I need to be able to view details such as the file hash, raw detection data, file publisher, etc. in order to properly triage the alert.
After reviewing an alert, I go directly to the events tab of the device in question. On a Windows machine I am able to click a "Details" link for each of the events that were alerted on, as well as the events that may have preceded the detection. On a macOS machine no such link exists, so I am left relatively blind to details that are crucial to continue my investigation.
I was told that because many of the detections I was seeing were PUPs and PUAs, a detail link was not provided since they are not necessarily malicious in nature. However, I also encountered instances where I cannot see details for "Malware detected: 'Mal/Phish-A'" events either. In addition to this, I should be able to view details on PUP and PUA detections (just as is available in Windows) so that my teammates and I can make the determination on whether to block the application across our environment.
Example 1 - No event details for detection on macOS machine (Malware detected: 'Mal/Phish-A')
Example 2 - No event details for detection on macOS machine (PUP)
Windows OS example, PUP/PUA showing event details
Hi txmx,
Please let me confirm this with my team and get back to you on this.
Community Team Lead, Support & Services | Sophos Technical Support
Thanks, Yashraj. I have submitted a support case (#9128470) that is now closed, and I have also brought this up with my TAM, but I wanted to reach a broader audience and post here. Appreciate you following up on this. I'd like to know what the limitations are in implementing this for macOS, if any.
I would agree with this assessment. I manage a couple of iMacs or OSX installs and the details are limited.
I manage a couple thousand Mac clients and the limited details are downright embarrassing. What a crap product.
Trojan Horse, how do you conduct your security investigations with so few details? We are trying to figure out a flow for this, but haven't dealt much with Mac investigations before.
Unfortunately, without all of the proper info, we don't. We just click resolve and move on. The crazy thing is, with Intercept X, it doesn't even tell us that it cleaned something up. I just noticed by looking at an infected computer that it indeed did clean up the thing it found (it told the end user it cleaned it up but not the console?).